Nixpkgs Security Tracker

Login with GitHub

Automatically generated suggestions

to queue a suggestion for refinement.

to remove a suggestion from the queue.

CVE-2023-41953
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 3 months ago
WordPress ProfilePress plugin <= 4.13.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in ProfilePress Membership Team ProfilePress.This issue affects ProfilePress: from n/a through 4.13.1.

Affected products

wp-user-avatar
  • =<4.13.1

Matching in nixpkgs

pkgs.wordpressPackages.plugins.wp-user-avatars

CVE-2024-53785
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 3 months ago
WordPress Chatter plugin <= 1.0.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Alexander Volkov Chatter.This issue affects Chatter: from n/a through 1.0.1.

Affected products

chatter
  • =<1.0.1

Matching in nixpkgs

pkgs.chatterino2

Chat client for Twitch chat

pkgs.chatterino7

Chat client for Twitch chat

pkgs.haskellPackages.chatter

A library of simple NLP algorithms

pkgs.typstPackages.chatter_0_1_0

Write dialog between any number of characters quickly and cleanly. Great for translations or short assignments

Package maintainers: 4

CVE-2024-10270
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 3 months ago
Org.keycloak:keycloak-services: keycloak denial of service

A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity.

Affected products

keycloak
  • <26.0.6
  • <24.0.9
rhbk/keycloak-rhel9
  • *
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
org.keycloak/keycloak-services

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

pkgs.terraform-providers.keycloak

pkgs.python312Packages.python-keycloak

Provides access to the Keycloak API

pkgs.python313Packages.python-keycloak

Provides access to the Keycloak API

Package maintainers: 4

CVE-2023-4727
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): ADJACENT_NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 3 months ago
Dogtag ca: token authentication bypass vulnerability

A flaw was found in dogtag-pki and pki-core. The token authentication scheme can be bypassed with a LDAP injection. By passing the query string parameter sessionID=*, an attacker can authenticate with an existing session saved in the LDAP directory server, which may lead to escalation of privilege.

Affected products

keycloak
  • <11.5.1
pki-core
  • *
pki-core:10.6
  • *
redhat-pki:10
  • *
pki-core:10.6/pki-core
redhat-pki:10/pki-core

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

pkgs.terraform-providers.keycloak

pkgs.python312Packages.python-keycloak

Provides access to the Keycloak API

pkgs.python313Packages.python-keycloak

Provides access to the Keycloak API

Package maintainers: 4

CVE-2024-11738
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 3 months ago
Rustls: rustls network-reachable panic in `acceptor::accept`

A flaw was found in Rustls 0.23.13 and related APIs. This vulnerability allows denial of service (panic) via a fragmented TLS ClientHello message.

Affected products

rustls
  • <0.23.18
rhtas/tuffer-rhel9
rhtas/tuftool-rhel9

Matching in nixpkgs

pkgs.rustls-ffi

C-to-rustls bindings

pkgs.rustls-libssl

Partial reimplementation of the OpenSSL 3 libssl ABI using rustls

Package maintainers: 3

CVE-2024-10492
created 3 months ago
Keycloak-quarkus-server: keycloak path trasversal

A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example, an LDAP provider configuration and set up a Vault read file, which will only inform whether that file exists or not.

Affected products

keycloak
  • <26.0.6
rhbk/keycloak-rhel9
  • *
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
org.keycloak/keycloak-quarkus-server

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

pkgs.terraform-providers.keycloak

pkgs.python312Packages.python-keycloak

Provides access to the Keycloak API

pkgs.python313Packages.python-keycloak

Provides access to the Keycloak API

Package maintainers: 4

CVE-2024-6156
3.8 LOW
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 3 months ago
Mark Laing discovered that LXD's PKI mode, until version 5.21.2, …

Mark Laing discovered that LXD's PKI mode, until version 5.21.2, could be bypassed if the client's certificate was present in the trust store.

Affected products

lxd
  • <4.0.10
  • <6.1
  • <5.21.2
  • <5.0.4

Matching in nixpkgs

pkgs.lxd-image-server

Creates and manages a simplestreams lxd image server on top of nginx

pkgs.python312Packages.pylxd

Library for interacting with the LXD REST API

pkgs.python313Packages.pylxd

Library for interacting with the LXD REST API

pkgs.terraform-providers.lxd

Package maintainers: 1

CVE-2024-6219
3.8 LOW
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 3 months ago
Mark Laing discovered in LXD's PKI mode, until version 5.21.1, …

Mark Laing discovered in LXD's PKI mode, until version 5.21.1, that a restricted certificate could be added to the trust store with its restrictions not honoured.

Affected products

lxd
  • <5.21.1

Matching in nixpkgs

pkgs.lxd-image-server

Creates and manages a simplestreams lxd image server on top of nginx

pkgs.python312Packages.pylxd

Library for interacting with the LXD REST API

pkgs.python313Packages.pylxd

Library for interacting with the LXD REST API

pkgs.terraform-providers.lxd

Package maintainers: 1

CVE-2024-3656
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 3 months ago
Keycloak: unguarded admin rest api endpoints allows low privilege users to use administrative functionalities

A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.

Affected products

keycloak
  • <24.0.5
org.keycloak-keycloak-parent

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

pkgs.terraform-providers.keycloak

pkgs.python312Packages.python-keycloak

Provides access to the Keycloak API

pkgs.python313Packages.python-keycloak

Provides access to the Keycloak API

Package maintainers: 4

CVE-2024-52482
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 3 months ago
WordPress Ortto plugin <= 1.0.19 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ortto Ortto allows Reflected XSS.This issue affects Ortto: from n/a through 1.0.19.

Affected products

autopilot
  • =<1.0.19

Matching in nixpkgs

pkgs.argocd-autopilot

ArgoCD Autopilot

Package maintainers: 2